So we’ve seen how a trust is set up and how we can manipulate the domain controllers involved. Can we do the same for authentication traffic? The answer is yes, but the main questions are why it is a yes, and how.

While many believe WINS or LMHOSTS can help us on external (non-forest) trusts, let’s dive into a packet capture of the opening of a file share on a remote forest.

For this demo, I have installed a resource server in the forestroot domain, and a RIVER client in the OCEANFLOOR domain.

The first packet that interests us is the lookup of the DNS record for the resource server.

Again, the first one to respond is the winner. However, while the OCEANFLOOR domain controller does not respond that quickly (relatively speaking), the domain controller also fires a DNS lookup for the domain itself, just in case: DNS:QueryId = 0x6B93, QUERY (Standard query), Query for _ldap._tcp.dc._msdcs.OCEANFLOOR.local of type SRV on class Internet

And here is where it gets interesting: while the LDAP lookup is performed, the server also tries to locate the OCEANFLOOR domain controllers over NetBIOS. This could be because the OCEANFLOOR LDAP lookup takes some time, or because it always does this (something for next time). The better question then is, of course, whether the DC will use the LDAP responses or whether it prefers the WINS lookup (I need to set up a larger test lab 🙂).

In my case WINS does not answer, and OCEANDC01 wins the race for the LDAP lookup.
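To make the two resolution paths in the capture concrete, here is an added Python example (not code from the original post) that parses the Network Monitor style DNS query line quoted above, recovers the trusted domain from the DC locator SRV name, lists the Netlogon-registered SRV names the locator asks for (the post shows only the first; the `_kerberos` and `_ldap._tcp.<domain>` names are the standard Netlogon records and are added here as an assumption about the full set), and encodes the NetBIOS `<DOMAIN>[1C]` domain-controllers group name that the parallel WINS/broadcast lookup carries. It assumes the NetBIOS domain name equals the first DNS label, and the response timings at the end are constructed to model the "first to respond wins" rule, not taken from the capture.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The DNS query line exactly as quoted in the post (Network Monitor style).
NETMON_DNS_LINE = ("DNS:QueryId = 0x6B93, QUERY (Standard query), Query for "
                   "_ldap._tcp.dc._msdcs.OCEANFLOOR.local of type SRV on class Internet")

_DNS_QUERY_RE = re.compile(
    r"DNS:QueryId = (?P<qid>0x[0-9A-Fa-f]+), QUERY \(Standard query\), "
    r"Query for (?P<name>\S+) of type (?P<qtype>[A-Z]+) on class Internet"
)

@dataclass(frozen=True)
class DnsQuery:
    query_id: int
    name: str
    qtype: str

def parse_netmon_dns_query(line: str) -> Optional[DnsQuery]:
    """Extract query id, queried name and record type from a NetMon DNS query line."""
    m = _DNS_QUERY_RE.search(line)
    if not m:
        return None
    return DnsQuery(int(m.group("qid"), 16), m.group("name"), m.group("qtype"))

def domain_from_dc_srv(name: str) -> Optional[str]:
    """_ldap._tcp.dc._msdcs.OCEANFLOOR.local -> OCEANFLOOR.local"""
    marker = "._msdcs."
    idx = name.find(marker)
    if idx == -1 or not name.startswith("_"):
        return None
    return name[idx + len(marker):].rstrip(".")

# Assumed full set of Netlogon-registered DC locator SRV names; the post shows the first.
DC_LOCATOR_SRV_TEMPLATES = (
    "_ldap._tcp.dc._msdcs.{domain}",
    "_kerberos._tcp.dc._msdcs.{domain}",
    "_ldap._tcp.{domain}",
)

def dc_locator_srv_names(domain: str) -> list:
    return [t.format(domain=domain) for t in DC_LOCATOR_SRV_TEMPLATES]

def netbios_encode(name: str, suffix: int) -> str:
    """RFC 1001/1002 first-level encoding: 15-byte space-padded name plus suffix byte,
    each byte split into two nibbles written as 'A' + nibble (32 characters)."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    out = []
    for b in raw:
        out.append(chr(ord("A") + (b >> 4)))
        out.append(chr(ord("A") + (b & 0x0F)))
    return "".join(out)

def netbios_dc_group_name(dns_domain: str) -> str:
    """Encoded <DOMAIN>[1C] group name (domain controllers) queried over NetBIOS.
    Assumption: the NetBIOS domain name is the first DNS label."""
    return netbios_encode(dns_domain.split(".")[0], 0x1C)

def resolution_plan(line: str) -> Optional[dict]:
    """From one captured SRV query, list what to expect on both resolution paths."""
    q = parse_netmon_dns_query(line)
    if q is None or q.qtype != "SRV":
        return None
    domain = domain_from_dc_srv(q.name)
    if domain is None:
        return None
    return {"domain": domain,
            "dns_srv": dc_locator_srv_names(domain),
            "netbios_1c": netbios_dc_group_name(domain)}

# Constructed response timings (ms): None means no answer on that path,
# matching the post's observation that WINS stayed silent and OCEANDC01 answered LDAP.
SAMPLE_RESPONSES = [(14.2, "DNS-SRV", "OCEANDC01"), (None, "NetBIOS-1C", None)]

def first_responder(responses) -> Optional[tuple]:
    """First answer wins: return (path, responder) with the lowest timestamp, ignoring silence."""
    answered = [(t, path, who) for t, path, who in responses if t is not None]
    if not answered:
        return None
    t, path, who = min(answered)
    return (path, who)

if __name__ == "__main__":
    print(resolution_plan(NETMON_DNS_LINE))
    print(first_responder(SAMPLE_RESPONSES))
```

When reviewing a capture, the encoded 32-character name lets you match the NetBIOS name query frames to the same trusted domain as the SRV lookup, so both paths can be timed against each other.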